An industrial control system (ICS) generally may be divided into three layers, i.e., a field layer, a control layer and a supervisory control layer. The field layer may comprise various industrial equipments and sensors, and the sensors may sense operating conditions of the industrial equipments and transmit the sensed data to the control layer. The control layer may comprise a slave device, e.g., a programmable logic controller (PLC), which is configured to control the operation of the industrial equipments of the field layer and transmit data sensed by the sensors to the supervisory control layer via a gateway. The supervisory control layer may comprise a master device, e.g., a human machine interface (HMI) and/or a supervisory control and data acquisition (SCADA) system, for remotely supervising and controlling the operation of the whole industrial system.
For packet transmission between the supervisory control layer and the control layer in the industrial control system, most of current communication network protocols are regulated by mechanisms that need no authentication such as plain code transmission, broadcasting or the like, so the industrial control system is particularly vulnerable to attack or intrusion from third parties such as detection, response injection, command injection and paralyzing service or the like. Besides, the conventional industrial control system does not have a mechanism that is specially configured to detect or identify the attack or intrusion from the third party, so the damage to the conventional industrial control system caused by the attack or intrusion from the third party is more serious. Accordingly, an urgent need exists in the art to detect whether the industrial control system is subjected to the attack or intrusion of the third party.